How to fix Trust Boundary Violation flaw in Java Web application

java security veracode
user1782009 picture user1782009 · Feb 20, 2013 · Viewed 26.1k times · Source

I am receiving a Trust Boundary Violation from Veracode. My code is 

userName= req.getParameter(Constant.USERNAME);
session.setAttribute(Constant.USERNAME, userName); //At this line i am getting Trust Boundry Violation flaw.

How can I validate userName to avoid a trust boundary violation flaw?

Answer

John Smith picture John Smith · Feb 20, 2013

Simply use a regular expression to validate the userName according to the rules your usernames follow:

if(userName.matches("[0-9a-zA-Z_]+")
     session.setAttribute(Constant.USERNAME, userName);

Related questions

Veracode XML External Entity Reference (XXE)

I've got the next finding in my veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611) referring the next code bellow ... DocumentBuilderFactory dbf=null; DocumentBuilder db = null; try { dbf=DocumentBuilderFactory.newInstance(); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, …

Read More
How to resolve External Control of File Name or Path (CWE ID 73)

I am working on fixing Veracode issues in my application. Veracode has highlighted the flaw "External Control of File Name or Path (CWE ID 73) " in below code. Thread.currentThread().getContextClassLoader().getResourceAsStream(lookupName) How do I validate the parameter? If I …

Read More
How to resolve CWE-259: Use of Hard-coded Password?

I submitted my application EAR to Veracode Security scanning tool and got this flaw in the below piece of code : private String url = "jdbc:mysql://localhost:8081/sql"; private String userName = "xyz"; private String password = "abc"; DriverManager.getConnection(url, user, password); // …

Read More